News

Stephen de Vries, ContinuumSecurity founder, promoted the idea of continuous and visible security at Velocity Europe 2014. Stephen argued that the same kind of processes and tools that embedded QA in the whole workflow of an agile development process can be applied to security. BDD-Security is a security testing framework that follows the Given-When-Then approach and is built on top of JBehave.

Vormetric, a data security solutions provider has announced a partnership with DataStax, the company behind Apache Cassandra, to enhance the enterprise-class security features in the platform. The two companies will work together to enhance data-at-rest security that includes encryption, enhanced access controls and security intelligence in Apache Cassandra.

The 2014 CAST Research on Application Software Health (CRASH) report states that enterprise software built using a mixture of agile and waterfall methods will result in more robust and secure applications than those built using either agile or waterfall methods alone. InfoQ interviewed Bill Curtis about structural quality factors, and mixing agile and waterfall methods.

Google have announced that they will remove support for the obsolete SSL 3.0 after discovering vulnerabilities that may be exploitable by forcing clients or servers to downgrade. Removing SSL 3.0 may also unlock stalled negotiations with HTTP2. Read on for more details.

A common theme at the Splunk user conference is the idea that the users are the greatest threat. Even in a well-regulated enterprise where no one has more privileges than what’s needed to do their job, a typical user has more than enough ability to steal massive amounts of data or cause widespread problems. Fortscale seeks to address this issue by using the data that you are already collecting.

Most companies still manually track configuration changes using a wiki or spreadsheet. Only the most basic information such as IP addresses are included, as recording everything is just too tedious. Even knowing basic information such as who made the change is difficult and time consuming. Tripwire seeks to eliminate this problem by proactively monitoring configuration changes.

Traditional signature based anti-virus/malware software is suitable for home users, but not for corporations. As seen repeatedly in the news, targeted attacks against specific companies are becoming more and more common. To combat this threat, advanced threat detection techniques are needed.

CloudFlare have made SSL available to all free subscribers to its content delivery network (CDN) with Universal SSL. The move addresses both cost and complexity issues that have previously confronted web site and application owners wanting to deploy SSL. CloudFlare takes care of issuing a certificate at no cost to the end user, and enabling SSL becomes a selection from a dropdown menu.

A remote exploit (CVE-2014-6271) has been in bash discovered that potentially affects any application that uses environment variables to pass data from unsanitised content, such as CGI scripts. After the release went public, other exploits were discovered (CVE-2014-7169). Official patches have been released to fix them. (Originally posted 24 September, updated 25, 26 and 29 September)

The recent vulnerabilities in the Bash shell initially stemmed from a remote execution exploit, which was patched and made available through responsible disclosure before being announced. However, since the initial release there have been other flaws detected which became zero day threats. What exactly was the problem with Shellshock, and is it truly fixed? InfoQ explains what happened.

Teams can become so focused that they forget the world around them and risk losing contact with stakeholders. This makes it difficult for them to know what their customers need and how end users will use their products. At the ASAS2014 conference Daisy Rasing-de Joode will show how successful agile teams create synergy by being interdependent and highly collaborative with their environment.

Google's Chrome web browser team has announced a schedule to deprecate support for how the browser handles HTTPS certificates using SHA-1 signatures. Over the next 6 months the browser will utilize increasingly noticeable warnings for sites that still use SHA-1.